If you have been even remotely in touch with technology in the past thirty years you have probably heard of this thing called a “firewall”. If not, a “firewall” decides what does and does not get to proceed through it. Most organizations have one of these protecting their network from the rest of the Internet. Some organizations place them in the most opportune spots to segment off specific areas of their internal network. The system you are using right now to read this blog post most likely has a firewall built-in.

The general consensus about what a firewall does is that it keeps “bad stuff” from entering a protected network or system. But firewalls can also keep things from leaving a network or system. This is called “egress filtering”.

Why Should We Care What Leaves?

The simple answer is that the more ports are allowed out, the easier it is for an attacker to establish command and control. If no outbound filters are in place, an organization can quickly lose visibility into what is leaving its network. This can lead to malware infections and command and control sessions going unnoticed, or to insider employees getting around corporate network policies.

If you are the one in charge of the firewall at your organization, how can you quickly determine what is allowed out of your network without diving into your firewall rule sets?

If you are a pentester, how can you quickly find out what ports are allowed out of a network that can be used as a command and control channel?

AllPorts.Exposed

AllPorts.Exposed is an Internet-resident system with (as the name suggests) all 65535 TCP ports open on it. If you were to portscan it from a system or network without firewall protection, you should see that every port is “open”. If you instead portscan this system from within a network protected by a firewall, any ports that still show as open can be assumed to be allowed outbound through that firewall.

How To Test It?

Yes, you could use something like Nmap to do a simple portscan, but I prefer PowerShell for this task because it is built into Windows operating systems. Oftentimes, when we are performing a pentest we are working from a Windows-based system and are typically not an administrator user, so installing external tools can be difficult.

Here is a short PowerShell portscanning script you can use to test ports 1-1024 against allports.exposed.

In the following screenshot you can see where the script prints ‘open’ to the terminal window for ports that were discovered as being open.

Alternatively, if you would like to just check for certain ports you can comma-separate each port you would like to scan at the beginning of the script in place of “1..1024”. For example, the following script will only scan ports 21, 22, 23, 25, 80, 443, and 1337.
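The post's own script is not reproduced on this page, so the following is an added example (not the original BHIS script) that performs the same TCP connect test against allports.exposed and prints “open” for each port that completes a handshake. The per-port timeout and the default port range are assumptions; swap the `$Ports` line for a comma-separated list, as described above, to check only specific ports.

```powershell
# Added example (not from the original post): discover which outbound TCP
# ports the local firewall permits by connecting to allports.exposed, a host
# that listens on every TCP port. A completed handshake means the port is
# allowed out; a timeout or refusal means it is being filtered somewhere.
$Target    = 'allports.exposed'
$Ports     = 1..1024          # or a short list: 21,22,23,25,80,443,1337
$TimeoutMs = 1000             # assumed value; raise it on slow links

# Resolve once instead of doing a DNS lookup for every port.
$Ip = [System.Net.Dns]::GetHostAddresses($Target) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1
if (-not $Ip) { throw "Could not resolve $Target" }

$Open = foreach ($Port in $Ports) {
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        $Async = $Client.BeginConnect($Ip, $Port, $null, $null)
        # WaitOne returns $true when the attempt finished (success or refusal)
        # within the timeout; Connected distinguishes the two cases.
        if ($Async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $Client.Connected) {
            Write-Host "$Port open"
            $Port                      # collected into $Open
        }
    } catch {
        # Treat socket errors the same as a filtered port.
    } finally {
        $Client.Close()
    }
}

"Outbound-permitted TCP ports: $($Open -join ', ')"
"Filtered or closed: $($Ports.Count - @($Open).Count) of $($Ports.Count)"
```

Two things to keep in mind when reading the results: every connection attempt is logged by a well-configured egress firewall, so a defender running this on their own network should expect to see the scan in the logs, and a transparent proxy or captive portal that completes the TCP handshake on the client's behalf can make a port look “open” even though nothing beyond the proxy is reachable.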

In conclusion, knowing what ports are allowed out of a network is very important for both pentesters and network admins. Each port allowed outbound from a network creates an additional exit point for attackers to use. BHIS recommends locking down egress traffic to only the ports required for the business to function. If possible, implement a web proxy and only allow outbound web traffic from it. Block all outbound traffic from client systems, and force their web browsers to use the web proxy for browsing.
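As an added example of the default-deny egress policy recommended above, applied on a single Windows client with the built-in Windows Defender Firewall cmdlets (not configuration from the original post, and not a substitute for the same rules at the network perimeter). The proxy and DNS addresses and the proxy port are placeholders chosen for this example.

```powershell
# Added example (not from the original post): enforce default-deny egress on a
# Windows client and allow only the exits a proxied workstation needs.
# Requires an elevated PowerShell session. Addresses/ports below are assumed
# placeholders; substitute your own environment's values.
$ProxyHost = '10.0.0.10'   # assumed internal web proxy
$ProxyPort = 3128          # assumed proxy listener port
$DnsServer = '10.0.0.53'   # assumed internal DNS resolver

# 1. Block all outbound traffic by default on every network profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Re-open only the specific exits the business needs from this client.
New-NetFirewallRule -DisplayName 'Egress: web proxy' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $ProxyHost -RemotePort $ProxyPort
New-NetFirewallRule -DisplayName 'Egress: internal DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $DnsServer -RemotePort 53

# 3. Log dropped outbound packets so a port test like the one in this post,
#    or a real command and control attempt, leaves a trace for the SOC.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# 4. Review what is still allowed out; anything unexpected here is an exit
#    point that should be justified or removed.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, Group
```

With this in place, rerunning the allports.exposed test from the client should report only the proxy port as open (and only toward the proxy host), and the browser must be pointed at the proxy to reach the web at all.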
